Lars Ewe is a technology executive with a broad background in application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at AMD, where he was responsible for AMD's overall systems manageability and security strategy.

What are some of the web application vulnerabilities that are most difficult to detect using an automated tool and why?

What are the top 2-3 things you can do to tune your automated scanner for the best results when scanning your web applications?

Why don't people secure their web applications? Is it a lack of awareness or knowledge or both? Or is it that their risk analysis is way off and most people still think, "Oh, it's just the web site, there's no sensitive data there," and ignore the client-infection-via-the-web-site attacks?

With all of the Adobe Flash 0-days floating around, what can we do to identify vulnerabilities in Flash applications? Is HTML5 our saving grace?

What can we do to improve the web application development process with respect to security: try to educate the developers, or give them tools that make it easier to write secure applications?

Mini Tech Segment: Nessus Vulnerabilities By IP Address

Video

This is an extremely handy report to have. I remember using this report type long ago, and somewhere in the Nessus updates it was no longer provided. However, it's back! Thanks to our awesome user community, and specifically Brian Olson. Brian created a stylesheet that lists each vulnerability found, and the IP addresses affected:

I like to create a filter for only the High level alerts, then use this report to review the results. To get the results you will need to copy the xsl file into your $Nessus_Home/var/www/nessus directory, then restart Nessus.
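The same "vulnerability, then the hosts it affects" view can be produced without the stylesheet by reading the .nessus (v2 XML) export directly. The following is an added example, not Brian's stylesheet and not Nessus code: it groups ReportItem entries by plugin, drops everything below High (severity 3, the top level at the time; later releases added 4 for Critical), and uses the host-ip tag when a ReportHost is named by DNS rather than IP. The export it parses is constructed for the example, with placeholder plugin IDs and names.

```python
"""List Nessus findings grouped by vulnerability, with the affected IPs.

Added example in Python rather than XSL: reads a .nessus (v2 XML) export and
produces the "vulnerability -> affected IP addresses" view, filtered to High
and above by default. The export below is constructed for the example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus severity codes: 0 Info, 1 Low, 2 Medium, 3 High (4 Critical in later releases).
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
HIGH = 3

# Constructed sample export: plugin IDs and names are placeholders, not real plugins.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-scan">
    <ReportHost name="192.168.17.10">
      <HostProperties><tag name="host-ip">192.168.17.10</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Sample A: SMB service unpatched (constructed)"
                  pluginFamily="Windows"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
                  pluginID="900002" pluginName="Sample B: web server banner (constructed)"
                  pluginFamily="Web Servers"/>
    </ReportHost>
    <ReportHost name="dmz-web.example.test">
      <HostProperties><tag name="host-ip">192.168.17.11</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Sample A: SMB service unpatched (constructed)"
                  pluginFamily="Windows"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="Sample C: SSH weak configuration (constructed)"
                  pluginFamily="Misc."/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def _ip_key(addr):
    """Sort real IPs numerically; anything unparsable sorts after them as text."""
    try:
        return (0, int(ipaddress.ip_address(addr)))
    except ValueError:
        return (1, addr)


def iter_findings(nessus_xml):
    """Yield (ip, severity, pluginID, pluginName) for every ReportItem."""
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        for tag in host.iter("tag"):          # prefer host-ip when the name is a DNS name
            if tag.get("name") == "host-ip" and tag.text:
                ip = tag.text.strip()
        for item in host.iter("ReportItem"):
            yield ip, int(item.get("severity", "0")), item.get("pluginID"), item.get("pluginName")


def vulns_by_ip(nessus_xml, min_severity=HIGH):
    """Map (pluginID, pluginName, severity) -> sorted unique IPs at or above min_severity."""
    grouped = defaultdict(set)
    for ip, sev, plugin_id, name in iter_findings(nessus_xml):
        if sev >= min_severity:
            grouped[(plugin_id, name, sev)].add(ip)
    return {key: sorted(ips, key=_ip_key) for key, ips in grouped.items()}


def format_report(grouped):
    """Render the grouping as text, highest severity first, then by plugin name."""
    lines = []
    for (plugin_id, name, sev), ips in sorted(grouped.items(), key=lambda kv: (-kv[0][2], kv[0][1])):
        lines.append("[%s] %s (plugin %s)" % (SEVERITY_NAMES.get(sev, sev), name, plugin_id))
        lines.extend("    " + ip for ip in ips)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(vulns_by_ip(SAMPLE_NESSUS)))
```

Run it against a real export with `vulns_by_ip(open("scan.nessus").read())`; pass `min_severity=0` to get everything, which is the unfiltered report the stylesheet produces.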

Tech Segment: "Executing from Memory" by Carlos Perez

Video

In the recent conference of Hack3rcon I covered the different artifacts on a disk that an attacker can leave behind that a crafty System Administrator or an Incident Response Team can find to start a baseline of events taken on a box. One may be called to do a pentest for the only reason to test Incident Response procedures and to exercise the IR team as part of an engagement. Many AV and HIPS monitor disk activity to check what was written and analyze it, making life difficult when one has to upload tools or place secondary connections back as a backup of the main session. When one is in this type of environment, Meterpreter has several features that make it an important tool to have. These features are:

Memory Manipulation (Read and Write in a process memory)

Execution of executables from memory

Use of Windows API in the libraries and with Railgun.

This gives Meterpreter a good advantage in post-exploitation. All the regular commands in the Windows version of Meterpreter run directly from memory; no executable on the target is used to perform these tasks, only the necessary DLLs are loaded by the extensions. The same is done by Railgun, which permits an attacker to load system DLLs in memory and use the functions in these DLLs to further extend Meterpreter's capabilities. Now, one of the biggest strengths that Meterpreter has is the manipulation of memory on a target; this allows Meterpreter to manipulate the memory of its own process or of another process given a PID. Several scripts exist for simplifying some of these tasks, some of which are:
1. duplicate - For injecting a Meterpreter Reverse TCP payload into a process by name or PID; if none is provided a notepad.exe process will be generated.
2. multi_meter_inject - For injecting a selected Meterpreter payload into multiple processes; you can specify names or PIDs, or a notepad.exe process will be generated for you.
3. process_memdump - For dumping a selected process by name or PID; you can also specify a list of processes in a text file and it will dump the memory for each one of those processes.
Let's cover the duplicate script first. To see the options of any Meterpreter script, the -h option is used:

meterpreter > run duplicate -h
OPTIONS:
-D Disable the automatic multi/handler (use with -r to accept on another system)
-P <opt> Process id to inject into; use instead of -e if multiple copies of one executable are running.
-e <opt> Executable to inject into. Default notepad.exe, will fall back to spawn if not found.
-h This help menu
-p <opt> The port on the remote host where Metasploit is listening (default: 4546)
-r <opt> The IP of a remote Metasploit listening for the connect back
-s Spawn new executable to inject to. Only useful with -P.
-w Write and execute an exe instead of injecting into a process

Very useful when you want to share a target with another consultant or test a connection to an external server. To generate a secondary session back to your box you could just do:

One feature rarely used is execution of an executable in memory. This works by uploading the executable into the memory space of a dummy executable that is executed to hide the process, or it will run in the memory space of the process where Meterpreter is running:

If we do a netstat -nao on the target box we will see the connection back:

TCP 192.168.17.128:1057 192.168.17.1:4444 ESTABLISHED 308

Very useful if other types of executables are used, with other dummy files or under the current process.
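The netstat line above is also the defender's handle on this technique: nothing the duplicate script does touches disk, but the secondary session still exists as an ESTABLISHED connection owned by a PID, and that PID belongs to a process that has no business holding a TCP session. As an added example (defender side, not part of Carlos's segment or of Metasploit), the script below joins `netstat -nao` with `tasklist /FO CSV` to name the owning image and flag connections held by processes on an assumed "quiet" list, or by PIDs that tasklist no longer knows about. Both command outputs are constructed, modelled on the netstat line in the segment.

```python
"""Spot an injected payload's connect-back from host-side command output.

Added example (defender side, not from the segment): joins `netstat -nao`
with `tasklist /FO CSV` so each ESTABLISHED connection gets an image name,
then flags sessions owned by processes that should never talk to the network
or by PIDs that are missing from the process list. Both outputs below are
constructed; the QUIET_IMAGES list is an assumption for the example.
"""
import csv
import io

# Constructed `netstat -nao` output (not a real capture); the notepad.exe line
# mirrors the connect-back shown in the segment.
NETSTAT_NAO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.17.128:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.17.128:1057    192.168.17.1:4444      ESTABLISHED     308
  TCP    192.168.17.128:1060    192.168.17.50:80       ESTABLISHED     1604
  TCP    192.168.17.128:1061    192.168.17.1:8080      ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output; PID 2212 is deliberately absent.
TASKLIST_CSV = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","5,120 K"
"notepad.exe","308","Console","0","3,884 K"
"iexplore.exe","1604","Console","0","21,004 K"
"""

# Assumed list of images that have no reason to hold an outbound TCP session.
QUIET_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


def parse_netstat(text):
    """Return one dict per connection line; UDP lines carry no state column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                         # banner, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(parts[-1])})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text.strip()))}


def suspicious_connections(netstat_text, tasklist_text, quiet_images=QUIET_IMAGES):
    """Return (image, pid, peer) for ESTABLISHED TCP sessions worth a second look."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        if conn["proto"] != "TCP" or conn["state"] != "ESTABLISHED":
            continue
        image = images.get(conn["pid"])
        if image is None:                    # PID vanished or is hidden from tasklist
            hits.append(("<unknown>", conn["pid"], conn["foreign"]))
        elif image.lower() in quiet_images:
            hits.append((image, conn["pid"], conn["foreign"]))
    return hits


if __name__ == "__main__":
    for image, pid, peer in suspicious_connections(NETSTAT_NAO, TASKLIST_CSV):
        print("%-12s pid %-5d -> %s" % (image, pid, peer))
```

On a live box the two inputs come from running the commands and feeding their output to the functions; a browser with a session to port 80 is left alone, while notepad.exe talking to port 4444 and a PID with no process behind it both surface.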

Stories For Discussion

A solution to an old problem - No, not that kind. (uhhh, I have no idea…) Some time back I saw this article regarding hacking JBoss with the JMX console, and I noted that they used a .war file specifically created to give them a command shell. Me, I wanted the .war file that they used and asked our readers for help. So, in my ongoing task of rebuilding my toolset after my change in employment, I rediscovered Laudanum from Secureideas. Guess what is there? Yep, all the bits that you need for a JBoss command shell, as well as other injectable files for ASP, ColdFusion, JSP and PHP. Expect more on this in the future :-)

Break into e-mail, steal nekkid pics, post to Facebook - [Larry] - This gentleman allegedly breached about 3200 e-mail accounts after trolling Facebook for the info to answer security questions (remember those questions going around, Mr. Johnson?). He was able to grab naked pictures of women from 170 accounts and allegedly post them to Facebook. Aside from the questions of "Why don't I know these women?", "170 of 3200 accounts sounds like really good odds?" or "Where is this guy's Facebook account?", how about asking some other things, such as what is in the contents of your sent items, and coming up with better security questions or better methods altogether.

Shodan and SCADA - [Larry] - Yet another reason SHODAN is awesome: even though it is dated information, it is still relevant. Nothing like using it to fingerprint and discover control systems directly connected to the internet (Noooo, that NEVER happens), using some fairly well known stuff such as vendor names and industry terms such as "PLC" in combination with some CIDR addresses. I think though, that digging into some deeper stuff would require some decent knowledge of the devices, industry and vendors. Care to prove me wrong?

Dead Drops or Drop Dead? - [Larry] - Share files via USB thumb drives cemented in walls, etc. Sounds like a great idea for spies, and an art installation. How long until these start showing up with malware or with less than honorable intent? Sounds like an interesting use of a PHUCKED device instead of storage.

Bruteforcing SSH known_hosts Files - [Paul Asadoorian] - Xavier provides us with a fantastic article and new tool that covers brute forcing hashed known_hosts files. His Perl script, given an IP address or hostname template, will hash the values, then compare them to the hashes in the known_hosts file. This is great if you are performing forensics or on a pen test. For example, if I compromise a DMZ host I can gather the IP subnet info and discover the hosts in known_hosts providing just the subnet info (e.g. ./known_hosts_bruteforcer.pl -i -s 192.168.0.0)
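What makes the brute force necessary, and bounds it, is how OpenSSH hashes the host field: `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))`, with a fresh 20-byte salt per line, so every candidate has to be hashed once per entry rather than once overall. The following is an added Python example, not Xavier's Perl tool: it generates candidates from a CIDR range (including the `[ip]:port` form OpenSSH uses for non-standard ports) and recovers the hosts behind a known_hosts file that is constructed here with fixed salts and a placeholder key blob.

```python
"""Recover hostnames behind hashed ~/.ssh/known_hosts entries by brute force.

Added example (Python, not the Perl tool discussed): OpenSSH records each host as
|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)) with a random 20-byte salt
per line, so each candidate is hashed once per entry. The sample known_hosts
below is constructed with fixed salts and a placeholder key for the example.
"""
import base64
import hashlib
import hmac
import ipaddress


def hash_known_host(host, salt):
    """Return the hashed host field exactly as OpenSSH writes it."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_hashed_entries(known_hosts_text):
    """Return (hashed_field, salt, digest) per hashed line; plaintext lines are skipped."""
    entries = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line.startswith("|1|"):
            continue
        field = line.split()[0]              # host field, before key type and key blob
        _, _, salt_b64, digest_b64 = field.split("|")
        entries.append((field, base64.b64decode(salt_b64), base64.b64decode(digest_b64)))
    return entries


def candidates_from_network(cidr, ports=(22,)):
    """Yield host strings as OpenSSH records them: bare IP for port 22, [ip]:port otherwise."""
    for ip in ipaddress.ip_network(cidr).hosts():
        for port in ports:
            yield str(ip) if port == 22 else "[%s]:%d" % (ip, port)


def bruteforce(known_hosts_text, candidates):
    """Map each hashed host field to the candidate that reproduces its digest."""
    entries = parse_hashed_entries(known_hosts_text)
    cands = list(candidates)                 # reused for every entry (different salt each time)
    recovered = {}
    for field, salt, digest in entries:
        for cand in cands:
            guess = hmac.new(salt, cand.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(guess, digest):
                recovered[field] = cand
                break
    return recovered


# Constructed known_hosts: deterministic salts and a placeholder key blob, example only.
SAMPLE_SALTS = [hashlib.sha1(b"constructed-salt-%d" % i).digest() for i in range(3)]
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed="
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_known_host("192.168.0.5", SAMPLE_SALTS[0]) + " " + SAMPLE_KEY,
    hash_known_host("[192.168.0.9]:2222", SAMPLE_SALTS[1]) + " " + SAMPLE_KEY,
    hash_known_host("bastion.example.test", SAMPLE_SALTS[2]) + " " + SAMPLE_KEY,
    "10.0.0.1 " + SAMPLE_KEY,                # unhashed line, ignored by the brute-forcer
])


if __name__ == "__main__":
    hits = bruteforce(SAMPLE_KNOWN_HOSTS,
                      candidates_from_network("192.168.0.0/24", ports=(22, 2222)))
    for field, host in hits.items():
        print(host, "<-", field)
```

Against a real file use `bruteforce(open(path).read(), candidates_from_network("192.168.0.0/24"))`; the DNS-named entry in the sample stays unrecovered because it is not in the candidate set, which is exactly why the Perl tool also takes a hostname template.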

Shodan, SCADA, and good security advice - [Paul Asadoorian] - It should come as no surprise that you can use Shodan to find SCADA devices, even narrowing by IP address and port, then keying in on terms like PLC. The big problem I see here is not even that these devices are on the Internet, but that if they are, they are likely to not be very locked down. Digital Bond recommends not only putting them behind the firewall, but also Virtual Private Networks (VPNs) for remote access, removing, disabling, or renaming any default system accounts, account lockout, requiring strong passwords, and monitoring account creations. I'd also add keeping up with the latest firmware, scrapping passwords in exchange for keypairs, using encrypted management protocols, and even port knocking. If your device can survive on the Internet, you are in great shape in terms of security.

Checkpoint reboots UTM-1 for you - [Paul Asadoorian] - I think that rebooting has positive effects. Windows, for sure, runs so much better when I reboot it! OS X, same thing! However, due to a timer that will roll over every 13.6 years, every device rebooted. I think it's great when a vendor helps you perform regular maintenance. I know several groups, such as Windows administrators, that would schedule maintenance and reboot servers once a week or so.

Security Weekly Philosophical Moment - Some have said that we have created God in our minds to overcome our fear of death. Similar to how we have created compliance to overcome our fears of getting hacked. (Thanks to Ben)

Detecting Firesheep - [Paul Asadoorian] - Using scapy, the smart folks at Zscaler research have created a program to spoof the requests and fill up your Firesheep console. These guys are great, this is the type of defensive thinking that I'm all for, perfect example of offensive countermeasures.

New attack targets HTTP - [Paul Asadoorian] - This is very similar to Slowloris, except I've read that it is not-so-easily filtered. Could spell trouble for web sites for a while, before people apply the patch. Of course, once the patch comes out, the tools will be created, and carnage will ensue.

Most people don't even know what a rootkit is - [Security Weekly] - It's been 5 years since the Sony rootkit. I mean, on one hand, if you purchased a Celine Dion or Ricky Martin CD, you deserve it (Neil Diamond is more than okay, I'm a huge fan! :) The quote that gets me is "Most people don't even know what a rootkit is, so why should they care about it" (Thomas Hesse, Sony BMG). Partly it's our fault, we need to educate users beyond telling them "You have a rootkit, that's bad". On the other hand, we can't downplay the dangers just because a technical term like "rootkit" is used.

Call to arms for http-enum.nse - [Paul Asadoorian] - This is a fantastic script from Ron Bowes! It tortures web servers, enumerating directories and fingerprinting the web server and some of its web applications. The fingerprints file is a custom lua format that allows for it to do its job really well. Ron needs your help to populate the fingerprints file!